Why Swif Requests Secure Token Access for Swif Admin on macOS

The Swif Desktop App on macOS may ask for user input to grant a Secure Token to the Swif Admin account. This process ensures that Swif Admin can perform essential tasks, such as managing and changing account passwords, which require a Secure Token. Below is a detailed explanation of why this is necessary and how it works.


What is a Secure Token?

A Secure Token is a macOS feature that allows an account to perform privileged actions, such as resetting other users' passwords. Without a Secure Token, the Swif Admin account cannot manage device users or their passwords effectively.


Why Does Swif Ask for a Secure Token?

  1. Password Management
    If the Swif Admin account does not have a Secure Token, it cannot change the password for accounts that have one. The Secure Token ensures the Swif Admin account can perform necessary administrative functions securely.

  2. Compatibility with Installation Methods

    • Desktop App Installation: The Swif Admin account is created during installation, and a Secure Token is automatically granted.

    • DEP (Device Enrollment Program) or Silent Installer: These methods do not grant a Secure Token to the Swif Admin account during installation. The Swif Desktop App will request user input to resolve this.

  3. Daily Monitoring
    Since any user account can receive a Secure Token at any time, the Swif Agent checks daily to ensure that the Swif Admin account has one. If it does not, the agent will prompt the user for their password to grant a Secure Token to Swif Admin.


How It Works

  1. Checking for Secure Token
    Swif checks whether the Swif Admin account has a Secure Token using the following command:

    /usr/sbin/sysadminctl -secureTokenStatus {{USER_NAME}}

  2. Requesting User Password
    If the Swif Admin account lacks a Secure Token and the current user has one, the Swif Desktop App will open every 10 minutes to request the user's password. This step is necessary because only a user with a Secure Token can grant it to another account.

  3. Granting Secure Token
    When the user provides their password, Swif uses it to grant a Secure Token to the Swif Admin account.
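The check-and-decide logic from the steps above, as an added example (not Swif's own code) for auditing a Mac by hand. It assumes `sysadminctl` reports status on stderr with the wording "Secure token is ENABLED/DISABLED for user ..."; the account names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not Swif's agent code. Usage on a Mac: ./check.sh ADMIN_SHORTNAME USER_SHORTNAME

# token_state LINE -> ENABLED, DISABLED or UNKNOWN (assumed sysadminctl wording)
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# query_status USER -> raw status text; sysadminctl writes it to stderr
query_status() {
    /usr/sbin/sysadminctl -secureTokenStatus "$1" 2>&1
}

# decide ADMIN_LINE USER_LINE -> action described in steps 1 to 3
decide() {
    admin=$(token_state "$1")
    user=$(token_state "$2")
    if [ "$admin" = ENABLED ]; then
        echo ok                 # admin account already holds a token
    elif [ "$admin" = DISABLED ] && [ "$user" = ENABLED ]; then
        echo prompt-user        # only a token holder can grant one
    elif [ "$admin" = DISABLED ] && [ "$user" = DISABLED ]; then
        echo no-prompt          # current user holds no token, so cannot grant
    else
        echo unknown            # unparsed output: investigate, do not guess
    fi
}

# Constructed sample lines (hypothetical accounts), used when not on a Mac
ADMIN_OFF='2024-01-01 09:00:00.000 sysadminctl[501:1234] Secure token is DISABLED for user Swif Admin'
USER_ON='2024-01-01 09:00:00.100 sysadminctl[502:1240] Secure token is ENABLED for user Jane Doe'
USER_OFF='2024-01-01 09:00:00.200 sysadminctl[503:1250] Secure token is DISABLED for user Jane Doe'

if [ -x /usr/sbin/sysadminctl ] && [ $# -eq 2 ]; then
    decide "$(query_status "$1")" "$(query_status "$2")"
else
    echo "sample: $(decide "$ADMIN_OFF" "$USER_ON")"
fi
```

Running the same check before and after entering a password confirms that the grant in step 3 actually took effect.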


When Will You See This Prompt?

  1. DEP or Silent Installation
    The Swif Admin account is created but does not automatically receive a Secure Token.

  2. Swif Admin Account Deleted or Recreated
    If the Swif Admin account was deleted or recreated, it may lose its Secure Token, requiring user input to regain it.

  3. Secure Token Status Changed for Any User
    If any account on the device receives a Secure Token, the Swif Agent will verify the Swif Admin's status daily and request permission if needed.


Do You Need to Grant a Secure Token?

  • If no account on the device has a Secure Token, there is no need to enable it for Swif Admin.

  • However, if an account with a Secure Token exists, granting one to Swif Admin is crucial for complete administrative functionality.


What Happens Next?

Once the user provides their password:

  • The Swif Admin account will receive a Secure Token.

  • The Swif Admin account can perform privileged operations such as resetting passwords and managing accounts.

This process ensures smooth and secure device management with Swif, while complying with macOS security requirements. If you encounter any issues, please contact Swif support for assistance.
